diff --git a/.github/workflows/mac_codesign.yml b/.github/workflows/mac_codesign.yml
new file mode 100644
index 000000000..983721794
--- /dev/null
+++ b/.github/workflows/mac_codesign.yml
@@ -0,0 +1,24 @@
+name: macOS build and codesign
+
+on:
+ workflow_dispatch: # Enables manual trigger from GitHub UI
+
+jobs:
+ code-signing:
+ runs-on: macos-latest
+ environment: macos-codesign
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dtolnay/rust-toolchain@1.70
+ - name: build
+ run: |
+ ./build_tools/make_pkg.sh
+ - name: Execute Code Signing Script
+ run: ./mac_codesign.sh
+ env:
+ MAC_CODESIGN_P12_BASE64: ${{ secrets.MAC_CODESIGN_P12_BASE64 }}
+ MAC_CODESIGN_PASSWORD: ${{ secrets.MAC_CODESIGN_PASSWORD }}
+ # macOS runners keep having issues loading Cargo.toml dependencies from git (GitHub) instead
+ # of crates.io, so give this a try. It's also sometimes significantly faster on all platforms.
+ CARGO_NET_GIT_FETCH_WITH_CLI: true
+ FISH_ARTEFACT_PATH: /tmp/fish-built
diff --git a/build_tools/mac_codesign.sh b/build_tools/mac_codesign.sh
index 9ee5cb5b2..b8ebea484 100755
--- a/build_tools/mac_codesign.sh
+++ b/build_tools/mac_codesign.sh
@@ -7,8 +7,7 @@ set -e die() { echo "$*" 1>&2; exit 1; } usage() { - echo "Usage: $0 -f -p [-e ] [ ...]" - exit 1 + die "Usage: $0 -f -p [-e ] [ ...]" } while getopts "i:f:p:e:" opt; do
diff --git a/build_tools/make_pkg.sh b/build_tools/make_pkg.sh
index 71e8f2d3b..e0ed7c3b9 100755
--- a/build_tools/make_pkg.sh
+++ b/build_tools/make_pkg.sh
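Review bot: The signing step runs `./mac_codesign.sh`, but the script patched in this same diff lives at `build_tools/mac_codesign.sh` and the preceding step already uses that prefix, so the line should read `run: ./build_tools/mac_codesign.sh`. That script's option parser (`getopts "i:f:p:e:"` in the next hunk) takes the certificate and password as `-f`/`-p` arguments, while this step supplies only the `MAC_CODESIGN_*` environment variables; unless the script also reads those variables somewhere outside the hunk, it will exit through `usage`. Because this job is handed code-signing secrets, the third-party actions should be pinned to full commit SHAs rather than the mutable `@v4` and `@1.70` tags, and a top-level `permissions:` block with `contents: read` should restrict the default token. `CARGO_NET_GIT_FETCH_WITH_CLI: true` is parsed as a YAML boolean; writing `"true"` keeps the env value an explicit string.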
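Review bot: The usage string still omits the `-i` option that `getopts "i:f:p:e:"` on the following line accepts, so after this rewrite the script's only interface documentation remains incomplete; either add `-i` to the `die "Usage: ..."` text or drop it from the getopts string if it is no longer supported. Routing `usage` through `die` is a good consolidation since both already exit with status 1 and the message now lands on stderr. The enclosing option loop continues outside the hunk.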
@@ -2,6 +2,31 @@ # Script to produce an OS X installer .pkg and .app(.zip) +usage() { + echo "Usage: $0 [-s] -f -p [-e ]" + exit 1 +} + +set -x +set -e + +SIGN= + +while getopts "sf:p:e:" opt; do + case $opt in + s) SIGN=1;; + f) P12_FILE=$(realpath "$OPTARG");; + p) P12_PASSWORD="$OPTARG";; + e) ENTITLEMENTS_FILE=$(realpath "$OPTARG");; + \?) usage;; + esac +done + +if [ -n "$SIGN" ] && ([ -z "$P12_FILE" ] || [ -z "$P12_PASSWORD" ]); then + usage +fi + + VERSION=$(git describe --always --dirty 2>/dev/null) if test -z "$VERSION" ; then echo "Could not get version from git" @@ -12,16 +37,9 @@ fi echo "Version is $VERSION" -set -x - -#Exit on error -set -e - -# Respect MAC_CODESIGN_ID, or default for ad-hoc. -# Note the :- means "or default" and the following - is the value. -MAC_CODESIGN_ID=${MAC_CODESIGN_ID:--} PKGDIR=$(mktemp -d) +echo "$PKGDIR" SRC_DIR=$PWD OUTPUT_PATH=${FISH_ARTEFACT_PATH:-~/fish_built} 
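Review bot: `set -x` is now enabled before the `getopts` loop, so the `p) P12_PASSWORD="$OPTARG";;` branch writes the certificate password into the xtrace output and therefore into any CI log; the same happens in the third hunk, where the `ARGS=(... --p12-password "$P12_PASSWORD" ...)` assignment and the `rcodesign sign "${ARGS[@]}" "$FILE"` call are traced verbatim, and log masking cannot be relied on for a value that reaches the script as a plain argument. Move `set -x` below the option parsing and wrap the signing loop in `set +x` … `set -x`, or read the password from a file or environment variable that is never echoed. The guard `if [ -n "$SIGN" ] && ([ -z "$P12_FILE" ] || [ -z "$P12_PASSWORD" ]); then` forks a subshell just for grouping; `{ [ -z "$P12_FILE" ] || [ -z "$P12_PASSWORD" ]; }` does the same without one.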
@@ -30,14 +48,30 @@ mkdir -p "$PKGDIR/build" "$PKGDIR/root" "$PKGDIR/intermediates" "$PKGDIR/dst" # Pass FISH_USE_SYSTEM_PCRE2=OFF because a system PCRE2 on macOS will not be signed by fish, # and will probably not be built universal, so the package will fail to validate/run on other systems. -{ cd "$PKGDIR/build" && cmake -DMAC_INJECT_GET_TASK_ALLOW=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_EXE_LINKER_FLAGS="-Wl,-ld_classic" -DWITH_GETTEXT=OFF -DFISH_USE_SYSTEM_PCRE2=OFF -DCMAKE_OSX_ARCHITECTURES='arm64;x86_64' -DMAC_CODESIGN_ID="${MAC_CODESIGN_ID}" "$SRC_DIR" && make VERBOSE=1 -j 12 && env DESTDIR="$PKGDIR/root/" make install; } +{ cd "$PKGDIR/build" && cmake -DMAC_INJECT_GET_TASK_ALLOW=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_EXE_LINKER_FLAGS="-Wl,-ld_classic" -DWITH_GETTEXT=OFF -DFISH_USE_SYSTEM_PCRE2=OFF -DCMAKE_OSX_ARCHITECTURES='arm64;x86_64' "$SRC_DIR" && make VERBOSE=1 -j 12 && env DESTDIR="$PKGDIR/root/" make install; } + +if test -n "$SIGN"; then + echo "Signing" + ARGS=( + --p12-file "$P12_FILE" + --p12-password "$P12_PASSWORD" + --code-signature-flags runtime + ) + if [ -n "$ENTITLEMENTS_FILE" ]; then + ARGS+=(--entitlements-xml-file "$ENTITLEMENTS_FILE") + fi + for FILE in "$PKGDIR"/root/usr/local/bin/*; do + rcodesign sign "${ARGS[@]}" "$FILE" + done +fi + pkgbuild --scripts "$SRC_DIR/build_tools/osx_package_scripts" --root "$PKGDIR/root/" --identifier 'com.ridiculousfish.fish-shell-pkg' --version "$VERSION" "$PKGDIR/intermediates/fish.pkg" productbuild --package-path "$PKGDIR/intermediates" --distribution "$SRC_DIR/build_tools/osx_distribution.xml" --resources "$SRC_DIR/build_tools/osx_package_resources/" "$OUTPUT_PATH/fish-$VERSION.pkg" -MAC_PRODUCTSIGN_ID=${MAC_PRODUCTSIGN_ID:--} -productsign --sign "${MAC_PRODUCTSIGN_ID}" "$OUTPUT_PATH/fish-$VERSION.pkg" "$OUTPUT_PATH/fish-$VERSION-signed.pkg" && mv "$OUTPUT_PATH/fish-$VERSION-signed.pkg" "$OUTPUT_PATH/fish-$VERSION.pkg" +# MAC_PRODUCTSIGN_ID=${MAC_PRODUCTSIGN_ID:--} +# productsign 
--sign "${MAC_PRODUCTSIGN_ID}" "$OUTPUT_PATH/fish-$VERSION.pkg" "$OUTPUT_PATH/fish-$VERSION-signed.pkg" && mv "$OUTPUT_PATH/fish-$VERSION-signed.pkg" "$OUTPUT_PATH/fish-$VERSION.pkg" -# Make the app -{ cd "$PKGDIR/build" && make -j 12 signed_fish_macapp && zip -r "$OUTPUT_PATH/fish-$VERSION.app.zip" fish.app; } +# # Make the app +# { cd "$PKGDIR/build" && make -j 12 signed_fish_macapp && zip -r "$OUTPUT_PATH/fish-$VERSION.app.zip" fish.app; } -rm -rf "$PKGDIR" +# rm -rf "$PKGDIR"
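Review bot: The `productsign` step, the `.app` build and the `rm -rf "$PKGDIR"` cleanup are commented out rather than removed, so the `fish-$VERSION.pkg` produced by `productbuild` is now left unsigned even when `-s` is given, and the staging directory holding the freshly signed binaries stays in the temp location. If that is a deliberate hand-off to a later step, a comment such as `# Package signing, the .app bundle and cleanup are intentionally skipped here; $PKGDIR is printed above so a later step can sign and remove it` would make the contract explicit; otherwise the dead lines should be deleted instead of kept as comments. The signing loop covers only `"$PKGDIR"/root/usr/local/bin/*`; if the install tree places Mach-O files elsewhere they would remain unsigned, which is worth confirming against the cmake install layout.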